A recent study by IT scientists recognised potential threats for users’ privacy in browser functionality barely used or unnecessary for websites. Blocking such rarely needed extra tools could reduce risks and, consequently, improve security.

Nowadays, browsers offer a wide range of features, with new functionalities added every day. However, some of them may not be exploited at all while requiring access to sensitive information, creating an unnecessary risk for the users.

The study has been carried out by a team of researchers at the University of Illinois at Chicago, who noted the issues concerning the use of browser to surf the internet.

The graduate student Peter Snyder and his colleagues at UIC, reflected on the pro and cons of website requiring up to 74 functionalities, collectively referred to as Application Programming Interface (API), investigating frequency of use and level of threat for privacy and security. Some of the features, were flagged as potentially ‘blockable’, due to the low benefit to the users and the high threat for their privacy.

“For example, browsers allow websites to perform low-level graphics calculations,” said Snyder. “We found that this functionality is rarely used on honest websites, but that malicious sites can use it to harm users’ privacy and security.” Allowing all websites to access this feature is “a bad cost-benefit trade-off,” Snyder explained.

Other example of functionalities with low-benefit high-risks nature were identified in codes that allow browsers perform advanced audio synthesis operations, execute fine-grained timing operations and detect light levels in a room.

The researchers chose Firefox as test browser, due to its popularity and open-source availability. However, as Synder explained, the findings can be generalised to the other browsers, such as Chrome and Internet Explorer, as they share a similar pattern of capabilities and present an almost identical suite of functionalities.

“Ultimately, we saw that about 25 percent of web API posed high risks to security and privacy and could be blocked without breaking websites,” Snyder said. He explained that by blocking risky functionality, the amount of code a website can access is also reduced. “The less code you have available through the web API, the safer websites you’ll have.”

Taking in consideration the new discovery, Synder’s team developed a browser extension that allow users to identify the hidden functionalities of websites and eventually block them, in order to improve security in the web surfing sections.

The team of researchers, including the assistant professors of computer science at UIC Cynthia Taylor and Chris Kanichm will present the findings at the Association for Computing Machinery Conference on Computer and Communications Security in Dallas on October 31.

Written by: Pietro Paolo Frigenti

Journal Reference: Parmet S. (2017). Bloated browser functionality presents unnecessary security, privacy risks. UIC Today.